Skip to main content

phoenix_storybook CVE-2026-47068

| EUVDEUVD-2026-31111 LOW
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-20 6b3ad84c-e1a6-4bf7-a703-f496b71e49db GHSA-mrhx-6pw9-q5fh
2.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
May 20, 2026 - 15:17 EUVD
Source Code Evidence Fetched
May 20, 2026 - 14:32 vuln.today
Analysis Generated
May 20, 2026 - 14:32 vuln.today

DescriptionCVE.org

Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter.

'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex reads a PubSub topic directly from params["topic"] and broadcasts {:component_iframe_pid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/<story>?topic=<victim_topic> causes their iframe process pid to be announced on the victim's topic. The victim's playground then addresses its private messages to the attacker's iframe process.

This issue affects phoenix_storybook from 0.4.0 before 1.1.0.

AnalysisAI

Cross-session PubSub topic injection in phoenix_storybook (versions 0.4.0 through before 1.1.0) allows a remote unauthenticated attacker to redirect a victim's playground control messages to an attacker-controlled LiveView iframe process. The vulnerability exists because ComponentIframeLive reads the PubSub coordination topic verbatim from a URL query parameter with no session-binding validation, enabling an attacker who loads a crafted iframe URL to hijack variation state changes, theme switches, and extra-assign payloads intended for a victim's active playground session. No public exploit code exists and no CISA KEV listing is present; the CVSS 4.0 score of 2.3 reflects genuinely low severity given the prerequisites required.

Technical ContextAI

phoenix_storybook is an Elixir Hex package that builds interactive component documentation playgrounds on top of Phoenix LiveView and Phoenix PubSub. The playground architecture uses a shared PhoenixStorybook.PubSub bus to coordinate between a parent StoryLive LiveView and an embedded ComponentIframeLive iframe: the iframe announces its process PID on a session-specific topic so the playground can direct control messages via Elixir send/2. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key) - handle_params/3 in component_iframe_live.ex consumed params["topic"] directly from the URL without verifying that the topic was generated by, or belongs to, the requesting session. The fix confirmed in commit 6ee03f1c replaces the raw topic query parameter with a cryptographically signed Phoenix.Token (salt: "phoenix_storybook:playground_topic", max_age: 86,400 seconds), ensuring only a server-generated token can authorize a topic binding. The parameter was renamed from "topic" to "playground_token" to make the change explicit at the protocol level.

RemediationAI

Upgrade phoenix_storybook to version 1.1.0 or later by updating mix.exs to specify {:phoenix_storybook, ">= 1.1.0"} and running mix deps.update phoenix_storybook. The fix is confirmed in commit 6ee03f1c at https://github.com/phenixdigital/phoenix_storybook/commit/6ee03f1c738d4436dde1b066cf65c80663d489f5, which introduces signed token verification for the playground topic parameter. If an immediate upgrade is not feasible and the storybook instance is not restricted to trusted users, restrict network access to the /storybook route at the reverse proxy level (e.g., nginx allow/deny directives or WAF IP allowlisting) - this eliminates the network-accessible attack vector without code changes, though it prevents any external access to the storybook interface. Note that exposing phoenix_storybook publicly is generally inadvisable regardless of this CVE. Full advisory details are at https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-mrhx-6pw9-q5fh.

Share

CVE-2026-47068 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy